
Cisco ASA 5510 how to clear access list rule that is cached

no access-list outside_access_in extended deny ip host 24.xxx.xxx.xxx any
access-group outside_access_in in interface outside

I removed this deny for this IP, but that IP still cannot access the network since I removed it.

Is there a clear command on the ASA to clear an active ACL? I am getting Deny TCP (no connection) .... RST flags for this IP.

Asked by: trininfo17
 
Michael Ortega (Sales & Systems Engineer) commented:
How about just power cycling the firewall?

MO
 
trininfo17 (Author) commented:
Not really an option; the ASAs are in high availability mode and concurrency is high, so it would require a scheduled downtime request. Trying to do this live.
 
Michael Ortega (Sales & Systems Engineer) commented:
If they are High Avail then a reboot should affect anything on a reboot, right?

MO
 
trininfo17 (Author) commented:
No, because they are stateful: the standby gets the exact running-config of the active.
 
Michael Ortega (Sales & Systems Engineer) commented:
Gotcha. I just assumed you were active/active. Can you post your running-config? Please blank out any sensitive information.

MO
 
Michael Ortega (Sales & Systems Engineer) commented:
Have you already tried to clear the access-list counter?

clear access-list counter outside_access_in

MO
 
trininfo17 (Author) commented:
Yes, tried clear xlate and clear access-list counters.

Pasting in the running config isn't going to be too useful; all other appropriate traffic passes as prescribed. It's just this one deny ip rule that was removed; it doesn't seem to be removed, as traffic from that IP gets the following:

6|Mar 26 2010 12:50:42|106015: Deny TCP (no connection) from 24.xxx.xxx.xxx/4949 to 24.xxx.xxx.xxx/21 flags RST  on interface outside
6|Mar 26 2010 12:50:42|302014: Teardown TCP connection 24474959 for outside:24.xxx.xxx.xxx/4949 to inside:10.xxx.xxx.xxx/21 duration 0:00:00 bytes 101 TCP FINs
6|Mar 26 2010 12:50:42|302013: Built inbound TCP connection 24474959 for outside:24.xxx.xxx.xxx/4949 (24.xxx.xxx.xxx/4949) to inside:10.xxx.xxx.xxx/21 (24.xxx.xxx.xxx/21)

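Added example (not from the thread or from Cisco): a small Python triage script for ASA syslog lines in the severity|timestamp|msgid format shown above. It separates 106015 "Deny TCP (no connection)" events whose outside source IP/port also appears in a 302014 teardown (a stray packet arriving after the firewall closed the flow) from denies with no matching teardown. The sample lines are constructed placeholders modelled on the excerpt; addresses are documentation-range values, not the poster's hosts.

```python
import re

# Constructed sample modelled on the ASA syslog excerpt in the thread; addresses are
# documentation-range placeholders, not the poster's real hosts.
SAMPLE_LOG = """\
6|Mar 26 2010 12:50:42|106015: Deny TCP (no connection) from 203.0.113.10/4949 to 198.51.100.5/21 flags RST  on interface outside
6|Mar 26 2010 12:50:42|302014: Teardown TCP connection 24474959 for outside:203.0.113.10/4949 to inside:10.0.0.5/21 duration 0:00:00 bytes 101 TCP FINs
6|Mar 26 2010 12:50:42|302013: Built inbound TCP connection 24474959 for outside:203.0.113.10/4949 (203.0.113.10/4949) to inside:10.0.0.5/21 (198.51.100.5/21)
6|Mar 26 2010 12:51:07|106015: Deny TCP (no connection) from 203.0.113.10/5001 to 198.51.100.5/21 flags RST  on interface outside
"""

# Export format used in the thread: severity|timestamp|msgid: text
LINE_RE = re.compile(r"^(?P<sev>\d)\|(?P<ts>[^|]+)\|(?P<msgid>\d{6}): (?P<text>.*)$")
DENY_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?)\s+on interface (?P<ifc>\S+)"
)
TEARDOWN_RE = re.compile(r"Teardown TCP connection \d+ for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) to ")


def triage_denies(log_text):
    """Return 106015 deny events, tagging those whose outside source IP/port also
    appears in a 302014 teardown. The deny line reports the mapped (outside)
    destination while the teardown reports the inside host, so match on source only."""
    parsed = [LINE_RE.match(line.strip()) for line in log_text.splitlines()]
    parsed = [m for m in parsed if m]  # drop anything that is not an ASA syslog line
    torn_down = set()
    for m in parsed:
        t = TEARDOWN_RE.search(m.group("text")) if m.group("msgid") == "302014" else None
        if t:
            torn_down.add((t.group("src"), int(t.group("sport"))))
    denies = []
    for m in parsed:
        d = DENY_RE.search(m.group("text")) if m.group("msgid") == "106015" else None
        if d:
            src, sport = d.group("src"), int(d.group("sport"))
            denies.append({"ts": m.group("ts"), "src": src, "sport": sport,
                           "dst": d.group("dst"), "dport": int(d.group("dport")),
                           "flags": d.group("flags").strip(),
                           # a bare RST after the ASA closed the flow is a stateless drop,
                           # not an access-group hit (those are logged under a different msgid)
                           "after_teardown": (src, sport) in torn_down})
    return denies
```

Denies left with after_teardown False are the ones worth checking against the access-list and the saved configuration.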
 
Michael Ortega (Sales & Systems Engineer) commented:
There doesn't seem to be anything else you can do but reload the device. Have you tried a call to Cisco yet? They offer 24/7 phone support even if the ASA isn't under a current SmartNET subscription. I recommend you give Cisco a call, or hold out until you can reload the unit and see what happens after it starts back up.

MO
 
trininfo17 (Author) commented:
I had to use the GUI to save the access list; that cleared the cache.